$vt_results
The $vt_results virtual table retrieves the result sets of searches completed (or attempted) in the past.
// get the results of the search 1704236905683.wgocax, if available to the current user
dataset="$vt_results" jobId="1704236905683.wgocax"Purpose
Use $vt_results to access the results of previously executed searches without having to rerun
them. This can be particularly useful for iterative analysis or when you want to reference the results of multiple
searches in a single query.
Mind that although $vt_results doesn’t rerun the actual query, it searches the results of the specified searches,
which can lead to minor credit consumption. This is different than
opening a search from History, which only loads the cached results.
Permissions and Limits
| Search Member Type | Permissions |
|---|---|
| Admin | Can access the results of all searches in the organization. |
| Editor or User | Can access the results of only those searches that they ran themselves or that were shared with them. |
You can access previous search results for as long as they’re kept in the system. By default it’s 7 days, but you can change this in Settings > Search > **Limits > Search history TTL.
$vt_results cannot access the results of searches that are still running.
Variations
By default, $vt_results can access only the results of successfully completed searches. However, you precede this Dataset with the set statement’s allow_incomplete_results option to also access the results of failed or canceled searches. This option is false by default. Set it to true using syntax like this:
set allow_incomplete_results=true;
dataset="$vt_results" jobId=<some-ID>Syntax
dataset="$vt_results"
// either:
jobId="SearchId"
// or:
jobName="SavedSearchName" [execution > -NumberOfPreviousRuns]Parameters
| Name | Type | Description |
|---|---|---|
SearchId | string | The ID of the search whose results you want to access. You can find the ID of every search in its Details, or in History. For multiple IDs, use square brackets and commas: jobId=["SearchId1", "SearchId2"]. |
SavedSearchName | string | The name (not ID) of the saved search whose results you want to access. By default, you’ll get the results of the latest execution that saved search, unless you use the the execution parameter.For multiple names, use square brackets and commas, for example: jobName=["SavedSearchName1", "SavedSearchName2"]. |
NumberOfPreviousRuns | intor * | Which of the past executions of the saved search to load. If not specified, only the latest run is loaded.execution = 0 (default) loads the last run.execution = -1 loads the run before last.execution > -1 loads the last two runs together.execution > -2 loads the last three runs together.execution = * loads all runs kept in history.Works only with the SavedSearchName specified. |
Returns
Returns the results of the specified searches, in their original format.
Examples
Get the Results of Multiple Previous Searches
Get the results of all completed searches whose IDs are between 1704236905600 and 1704236906000.
dataset="$vt_results"
| where jobId>"1704236905600" and jobId<"1704236906000"Get the Results of a Previous Run of a Saved Search
Get the results of the last run of a saved search named mySavedSearch.
dataset="$vt_results" jobName="mySavedSearch" execution = 0
// or simply:
dataset="$vt_results" jobName="mySavedSearch"Get the run before last:
dataset="$vt_results" jobName="mySavedSearch" execution = -1Get the Results of Multiple Previous Runs of a Saved Search
Get the results of the last two executions of a saved search named mySavedSearch.
dataset="$vt_results" jobName="mySavedSearch" execution > -1Get the last three runs:
dataset="$vt_results" jobName="mySavedSearch" execution > -2